REMARKS 

The claims remaining in the present application are Claims 1-33. The 
Examiner is thanked for performing a thorough search. Claims 1 and 23 have been 
amended. No new matter has been added. For example, support for the 
amendments to Claims 1 and 23 can be found in original Claim 12 which recites, 
"virtually reconfigure said at least one switch, an associated switch, in order to 
virtually isolate said computing resource from remaining computing resources in 
said network of computing resources" (emphasis added). Further, since support for 
the amendments can be found in original Claim 12, the next Office Action should not 
be a final since these amendments would not cause a new search to be performed. 

CLAIM REJECTIONS 
35 U.S.C. §102 

Claims 1-33 

In paragraph 4 of the Office Action, Claims 1-33 are rejected under 35 U.S.C. 
§102(e) as being anticipated by U.S. Patent Publication No. 2004/0148520 by 
Talpade et al. (referred to hereinafter as "Talpade"). Applicants respectfully submit 
that embodiments of the present invention are neither taught nor suggested by 
Talpade. 

Claim 1 recites, 

A method for responding to network intrusions, comprising: 

a) receiving an intrusion detection system (IDS) alert from an IDS 
sensor located in a network of computing resources, wherein said IDS alert 
indicates an unauthorized intrusion upon a remotely located computing 
resource in said network of computing resources; 

b) identifying said IDS alert; 

c) determining an appropriate response to said IDS alert that is 
identified at a location separate from said remotely located computing 
resource so that said determining said appropriate response is unaffected by 
said unauthorized intrusion; and 

d) automatically implementing said appropriate response to mitigate 
damage to said network of computing resources from said unauthorized 
intrusion by isolating said remotely located computing resource. 

According to the Federal Circuit, "[a]nticipation requires the disclosure in a 
single prior art reference of each claim under consideration" (W.L. Gore & Assocs. 
v. Garlock Inc., 721 F.2d 1540, 220 USPQ 303, 313 (Fed. Cir. 1983)). However, it is 
not sufficient that the reference recite all the claimed elements. As stated by the 
Federal Circuit, the prior art reference must disclose each element of the claimed 
invention "arranged as in the claims" (emphasis added; Lindemann 
Maschinenfabrik GmbH v. American Hoist & Derrick Co., 730 F.2d 1452, 221 USPQ 
481, 485 (Fed. Cir. 1984)). 

Applicant respectfully submits that Talpade does not teach or suggest, 
"...isolating said remotely located computing resource," as recited by Claim 1. For 
example, network traffic is sent from a first computer to a second computer through 
an internet service provider (ISP). From line 14 of paragraph 0008 to the end of 
paragraph 0010, Talpade states, 

When the sensor detects an attack, it notifies an analysis engine located in 
the ISP... The analysis engine... advertises new routing information to the 
border and edge routers... The new routing information instructs the border 
and edge routers to reroute all DDoS and non-DDoS traffic... The redirected 
DDoS and non-DDoS traffic from the border and edge routers is automatically 
passed through these filters, removing the DDoS traffic. The non-DDoS 
traffic is forwarded back onto the ISP network and routed towards the 
customer network. (emphasis added) 

Talpade teaches reconfiguring routers to reroute traffic away from the network being 
protected. Talpade runs inside of an ISP network and teaches specifically about 
protecting the ISP's customer's network from attacks which originate outside that 
customer's network. Talpade cannot protect the customer's network from attacks 
that originate from within the customer's network. For example, Talpade states in 
paragraph 0017, "In accordance with our invention, the sensors 234/236 monitor all 
traffic entering the customer networks 204/206 from the ISP network" (emphasis 
added). 



In contrast, Claim 1 recites, "isolating said remotely located computing 
resource." As a result, Claim 1 provides protecting assets within the customer's 
network regardless of the source of the attacks, and in particular protecting against 
attacks originating from within the customer's network. Further, implementations of 
an embodiment as recited by Claim 1 can reside anywhere in a network topology, 
whereas, as already stated, Talpade is limited to residing within an ISP. Lastly, by 
"isolating said remotely located computing resource" the resource can continue to 
operate even after it has been isolated, for example by removing its network 
connections, which means that its state may be saved, and/or enables someone to 
examine an intrusion, such as malicious code, in action (for example by using the 
system console to log in) without fear of the "unauthorized intrusion" spreading. 

Applicant respectfully points out that by making note of things that "isolating 
said remotely located computing resource" provides for, Applicant is not reading 
limitations into Claim 1. Claim 1 recites "isolating said remotely located computing 
resource," which provides for protecting assets within the customer's network 
regardless of the source of the attacks, provides for an implementation that can 
reside anywhere in a network topology, and provides for the isolated resource to 
continue to operate even after it has been isolated. 

Applicant further notes that by teaching that it is difficult to mitigate DDoS 
attacks at the target (refer to lines 17 and 18 of paragraph 0007), teaching that 
conventional systems require dedicated hardware (refer to lines 1-4 of paragraph 
0007) in combination with teaching rerouting at the ISP, Talpade teaches away from 
"isolating said remotely located computing resource." Therefore, it would be 
improper to combine Talpade with another reference in a future Office Action to 
reject embodiments recited by claims in the instant application serial no. 
10/678,333. 

The Office Action cited paragraphs 0023-0027 and elements 234, 236, 204 in 
Figure 2 of Talpade against Claim 1. Paragraphs 0023-0027 and elements 234, 
236, 204 in Figure 2 of Talpade suffer from the same deficiency that line 14 of 
paragraph 0008 to the end of paragraph 0010 of Talpade suffer from. 

Therefore, Talpade does not teach or suggest, among other things, 
"...isolating said remotely located computing resource," as recited by Claim 1. 
Independent Claims 12 and 23 should be patentable for similar reasons that Claim 1 
should be patentable. Further, Claim 12 recites "at least one switch," and "a power 
controller." The Office Action failed to cite portions of any reference that teach "at 
least one switch" and "a power controller." 

Claims 2-11 depend on Claim 1. Claims 13-22 depend on Claim 12. Claims 
24-33 depend on Claim 23. These dependent claims include all of the limitations of 
their respective independent claims. Further, these dependent claims include 
additional limitations which further make them patentable. 

For example, Claims 6 and 28 provide for powering off a resource, such as a 
host computer system, which prevents further damage to the resource, for example 
by continued deletion of data, and prevents further spread of an intrusion, for 
example by malicious software on that resource. In paragraph 9 of the office action, 
the examiner states that Talpade, in paragraph 0027, discloses a method to power 
off the computing resource. Applicant respectfully submits that Talpade does not 
disclose a method to power off a computing resource, nor power off anything else, 
neither in paragraph 0027 nor anywhere else in the application. The first sentence 
of paragraph 0027 states "... assists in shutting-down DDoS attacks at the edge of 
the ISP network." This is very different from "shutting power" to a computing 
resource. Talpade "shuts down" the attack by rerouting packets. In contrast, Claims 
6 and 28 provide for powering off the computing resource(s) which have been 
affected by an unauthorized intrusion, such as malicious code. It is clear that 
Talpade doesn't use the words "shut down" to mean powering off his "targeted" 
resources, because they are located outside of the ISP network at the Peer 
Autonomous Systems 210 and 220, and are not under control of the ISP; thus, the 
ISP would have no capability to power them off. Therefore, Talpade actually 
teaches away from shutting power to a computer resource. 

In another example, Claims 7-10, and 29-32 provide for disabling the switch 
ports to which the intruded system is directly physically attached so that it can't send 
any traffic at all on any network. In paragraph 10 of the office action, the examiner 
states that Talpade discloses the same method. Applicant respectfully submits that 
Talpade does not disclose a method to disable the switch ports to which the 
intruded system is directly physically attached. Rather, Talpade uses the 
mechanism of reconfiguring the routers through which the packets are flowing to 
redirect the path those packets will travel. Note that Talpade's system is still 
connected to all of its networks, including Ethernet, SAN, Token Ring, or any others. 
Therefore, Talpade cannot stop the attack at its source; it merely prevents the attack 
packets from entering the ISP's customer's network, and leaves other networks 
potentially vulnerable. Thus, packets could be sent to other networks, many of 
which may not have the protection offered by the Talpade invention, and data on a 
SAN could be altered or destroyed by malicious software running on Talpade's 
"targeted" resource, even if the Talpade invention were properly and completely 
implemented in all networks in the entire world. Talpade merely prevents the 
malicious traffic from flowing through the ISP network to the customer network. In 
contrast, Claims 7-10 and 24-32 provide for preventing the intruded system from 
communicating to any other system by disabling the switch ports to which the 
intruded system is directly physically attached, which is distinct from and in some 
cases better than rerouting traffic at the routers. For example, the intruded resource 
can continue to operate without network connections, which means that its state 
may be saved, and/or enables someone to examine the malicious code in action (for 
example by using the system console to log in) without fear of spreading, for 
example, an unauthorized intrusion such as an infection. 

These dependent claims should be patentable for at least the reasons that 
their respective independent claims should be patentable. 

CONCLUSION 



In light of the above listed amendments and remarks, reconsideration of the 
rejected claims is requested. Based on the arguments and amendments presented 
above, it is respectfully submitted that Claims 1-33 overcome the rejections of record. 
For reasons discussed herein, Applicant respectfully requests that Claims 1-33 be 
considered by the Examiner. Therefore, allowance of Claims 1-33 is respectfully 
solicited. 

Should the Examiner have a question regarding the instant amendment and 
response, the Applicant invites the Examiner to contact the Applicant's undersigned 
representative at the below listed telephone number. 



Respectfully submitted, 
WAGNER, MURABITO & HAO LLP 



Dated: 2007 

John P. Wagner Jr. 
Registration No. 35,398 

Address: 
Westridge Business Park 
123 Westridge Drive 
Watsonville, California 95076 USA 

Telephone: 
(408) 938-9060 Voice 
(408) 234-3749 Direct/Cell 
(408) 763-2895 Facsimile 